> On Feb 28, 2022, at 3:29 PM, Bjørn Mork <bj...@mork.no> wrote:
> Any recommendations for a CA with a published policy allowing an IP
> address SAN (Subject Alternative Name)?
> Both Quad9 got their certificate from DigiCert:
>
> Issuer: C = US, O = DigiCert Inc, CN = DigiCert TLS Hybrid ECC SHA384 2020 CA1
> Subject: C = US, ST = California, L = Berkeley, O = Quad9, CN = *.quad9.net
> X509v3 Subject Alternative Name:
> DNS:*.quad9.net, DNS:quad9.net, IP Address:9.9.9.9, IP Address:9.9.9.10,
> IP Address:9.9.9.11, IP Address:9.9.9.12, IP Address:9.9.9.13,
> IP Address:9.9.9.14, IP Address:9.9.9.15, IP Address:149.112.112.9,
> IP Address:149.112.112.10, IP Address:149.112.112.11, IP Address:149.112.112.12,
> IP Address:149.112.112.13, IP Address:149.112.112.14, IP Address:149.112.112.15,
> IP Address:149.112.112.112, IP Address:2620:FE:0:0:0:0:0:9,
> IP Address:2620:FE:0:0:0:0:0:10, IP Address:2620:FE:0:0:0:0:0:11,
> IP Address:2620:FE:0:0:0:0:0:12, IP Address:2620:FE:0:0:0:0:0:13,
> IP Address:2620:FE:0:0:0:0:0:14, IP Address:2620:FE:0:0:0:0:0:15,
> IP Address:2620:FE:0:0:0:0:0:FE, IP Address:2620:FE:0:0:0:0:FE:9,
> IP Address:2620:FE:0:0:0:0:FE:10, IP Address:2620:FE:0:0:0:0:FE:11,
> IP Address:2620:FE:0:0:0:0:FE:12, IP Address:2620:FE:0:0:0:0:FE:13,
> IP Address:2620:FE:0:0:0:0:FE:14, IP Address:2620:FE:0:0:0:0:FE:15
>
> Does this mean that DigiCert is the only alternative?
I assume not, but we’d already used them for other things, and they didn’t have a problem doing it, so we didn’t shop any further.

> And do they really have this offer for ordinary users, or is this also some
> special arrangement for big players only?

No, we didn’t have to do anything special, to the best of my knowledge.

> That does make me wonder how they verify that I'm the rightful owner of
> "sites, IP addresses, common names, etc.". In particular, "etc" :-)
> Or you could ask yourself if you trust a CA with such an offer...

Yep. DANE is the correct answer. CAs are not. But that’s been true for a very long time, and people are still trying to pretend that CAs know what’s what.

-Bill